On 2026-02-11 11:29:43 [-0500], Willem de Bruijn wrote: > I think we should look at the locking. It is not clear to me that > sk_callback_lock needs to be held here at all. > > From the lock documentation itself its use is more limited. > > sk->sk_socket->file is indeed dereferenced elsewhere without holding > such locks. > > sk_capable is another indication.
That skb has a socket reference so that skbs should have a reference on 'sk' so it can't go away while the skb is around. sk_socket should be assigned once while sk is created and not change. Also that ->file should be assigned on accept and remain stable. That assignment happens in sock_graft() under the lock or in sock_init_data_uid() without it (but it both cases it should be new). If you close that socket then I think sock_close() will be invoked which ends in __sock_release() and assigns NULL to ->file. The filep itself is SLAB_TYPESAFE_BY_RCU (as it comes from alloc_file_pseudo()) so it safe to access it while in IRQ/ softirq because it can not go away. It should invoke sock_orphan() which sets ->sk_socket to NULL under the lock. I don't think that orphan can be called from outside the close path. And inode (socket) remains around as long as the filep is there. So based on this, if sk->sk_socket->file is accessed from within a syscall then the chain up to file should be valid because the fd can not be closed and so anything in that chain up to file become NULL. >From within the IRQ/ softirq a close on the fd/ socket should not result in an immediate release. I *think* the skb holds sock holds the socket. If so that skb would hold the destruction of the socket back and this would make it safe to access it without the lock. This is the theory so far. Sebastian
